Posted
by
EditorDavid
on Saturday September 23, 2017 @11:30PM
from the consumer-credit-criticisms dept.

Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge:
Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."
Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them.

Security questions are fine, it's people who answer them with easily checkable facts that are morons. For instance, "Who's your best friend in

What you described are security questions that a customer sets up to regain access to a service they have contracted for.

What Experian asks, as do many financial services companies, are questions drawn from either their own or another data broker's (Axciom) database of information about you. It is especially pernicious that they are continuing this after they let that database be stolen.

I gave Fidelity an earful a little while back when they were going to take away the choice of using an OTP to verify my i

The only thing you can do is to keep checking your credit reports for something suspicious. With the data they have, there is nothing you can do to 100% stop it.

Politicians SHOULD be fixing this, by forcing the credit bureaus to lock down everyone's data and come up with a foolproof way of confirming identity. But instead, I see we're all riled up on football players not standing during national anthems. Way to set priorities, America!

No, the credit bureaus should be held to the fire and nailed for a few million counts of libel. Spreading harmful information with wanton disregard for the truth is sufficient for libel. For example, claiming that you did something to become less than credit worthy without solid proof it was actually you when they know damned well fraud is rampant.

Yeah, realistically, they've gotten a pass from the courts and legislature since forever. Of course, we did eventually see some judges actually start demanding proof of mortgages from banks and the banks come up short.

Extend the libel liability to the lenders too. If they lend money to some Tom Dick or Harry and they report to the credit reporting agencies that I am in default, they should be held liable for damaging my reputation and credit worthiness.

That is what will reduce identity theft. People steal identities because they are able to easily borrow based on stolen identities. We need to make it very difficult to borrow with stolen identities.

In most other countries, it's hard to get a mortgage without paying credit-card interest rates. Why is this? Because the concept of a "credit rating" doesn't exist in any meaningful way. As a result, it's nearly impossible for banks to assess risk in a highly-standardized fashion. This, in turn, means that entities like Fannie Mae and Freddie Mac (who underwrite the vast majority of non-mansion-sized mortgages) cannot exist either, because standarization o

Here's what will keep happening during the next years: entire "systems" that are riddled with horrible security practices and no competent personel to care of it will come crashing down after years of negligence.I dunno how many of them will be in such a spectacular cascade of revelations, but I imagine that a sizeable portion will be.Security professionals and conscious people have been warning for a while that stuff like that was going to eventually happen, but businesses, services and corporations small and large have not only been ignoring things so far, they have been introducing more and more points of failure over the years.We are only starting to walk in the middle of a minefield. By the end of it, if we didn't already go to a full blown war, privacy will be dead for a whole ton of people, rights violated and trampled.It's pretty much the perfect storm crime/theft/scam. All that data that's being leaked, hacked into, collected and harvested to be sold, or actively spied and taken in real time is accumulating somewhere, perhaps in databases inside the darknet, by criminals and hacker groups, by corporations that will eventually take advantage of it. It'll be terabytes upon terabytes of sophisticated dossier databases that will give all sorts of private information about anyone with a single search.People don't react to it and don't seem to care all that much because that information can be exploited slowly. Who cares if someone got his/her identity stolen, as long as it's not happening to me it's ok. But one day it will. And then, it's no use getting angry and trying to fight against it because much as yourself once did, no one cares.This is our future.

I know how the US hates to do things as they are in the rest of the world (Metric, PIN for cards,...) yet her just some info how we handle credit info and data in Belgium.1) You need an official ID (We have one, but you could use other things that are official as well to make this work. Drivers license, presentation at city hall with a code,...) These can be lost and replaced. https://www.checkdoc.be/ [checkdoc.be] to see if they are valid or not2) All credits and loans are kept by the National Bank of Belgium3) To acc

It seems that you get organisations (I use that word deliberately, to include private sector and government) where once in a while somebody drops the ball and there's a bit of a balls-up but they fix it in good order, learn the lessons and move on.

Then there are others that lurch from one crisis into two more, like Hobbes' Leviathan made of Mr Bean clones.

Yet ANOTHER ham fisted reaction to what ought to be a pretty straight forward mea culpa, fix of issues, etc. Their leadership is simply not trustworthy and that's paramount in this particular business.

I read an article in The Guardian where a security expert recommended that uses (in the UK) put a "Notice of Correction" on their Experian(UK) file (and others):Jamieson sent a notice of correction to the three main credit reference agencies. It states: “I, Jamie Jamieson, of [his address], do hereby declare that when my signature is required for any financial product or service, I will authenticate it with my thumbprint. Failure by me to comply with this direction should result in the service or product being withheld. Any application without a thumbprint should be considered fraudulent. I will inform you in writing, signed and thumbprinted, of any changes to this notice of correction.”

This would seem to be a good solution. A fraudster would not necessarily know about the thumbprint requirement and when asked for a thumbprint would be reluctant to put his own thumbprint on a document. If they did, they could be traced by the thumbprint. It wouldn't require the creditor to check the thumbprint unless there was a problem.

Would this work in the US?(The US credit bureaus allow you to add a "Statement" to your account.)(I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)

Would this work in the US?
(The US credit bureaus allow you to add a "Statement" to your account.)
(I know that fingerprints can be copied and faked but this would probably stop a lot of opportunistic fraud.)

Nice idea, but sadly it would not work in the current system. For years I have called credit card companies in advance to make a statement that I am traveling to a foreign country so don't put my charges on hold when I use my card there. First charge, they always ignore the statement and put my card on hold until they can contact me. After that they will allow it to be used. No credit company is going to follow any special instructions from the consumer given to a rating agency. Sometimes lenders will not e

This thumbprint thing, even if not followed by certain creditors, will at least give you plausible deniability of fraudulent charges not made by you. I see it as being more of a headache though when it comes to shopping. You would have to carry ink around in order to post your thumbprint as most places aren't going to have spare ink laying around.